kritis-validation-hook is an admission webhook that verifies container image signatures so that only trusted images are deployed to a cluster. With signature verification enabled, only images signed by a trusted authority are admitted, which reduces the risk of running tampered or malicious images. This topic describes how kritis-validation-hook works and walks through a step-by-step example.

Background information

kritis-validation-hook is based on the open-source project kritis and is integrated with Container Registry (ACR) to verify the signatures of images that are signed with Key Management Service (KMS) keys. Together with Security Center, KMS, and ACR, it implements a fully automated image signing and signature verification process that helps you build a more secure software supply chain.

Example

The following example demonstrates how kritis-validation-hook works by enabling image signature verification for the default namespace.
Note This example skips the image signing steps because signing is outside the scope of kritis-validation-hook. The signature information used in this example is as follows:
  • The address of the image signed by using KMS is kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45.
  • The KMS public key is stored in file publickey.txt.
  • The KMS key ID is 4a2ef103-5aa3-4220-89ee-kms-key-id.
  • The Container Registry namespace that corresponds to the default namespace is 13579-namespace.
  1. Run the following commands to create an AttestationAuthority object that represents the trusted authority.
    The manifest embeds the base64-encoded KMS public key (on a single line) and the KMS key ID listed above:
    $ cat <<EOF > AttestationAuthority.yaml
    apiVersion: kritis.grafeas.io/v1beta1
    kind: AttestationAuthority
    metadata:
      name: 13579-namespace
    spec:
      noteReference: namespaces/13579-namespace
      publicKeyData: $(cat publickey.txt | base64 | tr -d '\n')
      publicKeyId: 4a2ef103-5aa3-4220-89ee-kms-key-id
    EOF
    
    $ kubectl apply -f AttestationAuthority.yaml
  2. Run the following commands to create a GenericAttestationPolicy object. The policy lists the trusted authorities (AttestationAuthority objects) whose attestations are accepted when signatures are verified.
    $ cat <<EOF > GenericAttestationPolicy.yaml
    apiVersion: kritis.grafeas.io/v1beta1
    kind: GenericAttestationPolicy
    metadata:
      name: demo-gap
    spec:
      attestationAuthorityNames:
      - 13579-namespace
    EOF
    
    $ kubectl apply -f GenericAttestationPolicy.yaml
  3. Run the following commands to confirm that images not signed by the trusted authority are rejected. Both a public image and a tag reference to the signed image are denied; in the current flow, verification requires the image digest, so a tag reference is not treated as attested (see Next up):
    $ kubectl create deployment test-denied --image=alpine:3.11
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested
    
    $ kubectl create deployment test-denied --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine:3.11 is not attested
  4. Run the following command to confirm that the image signed by the trusted authority, referenced by its digest, is deployed.
    $ kubectl create deployment test-allow --image=kritis-demo-registry.cn-hangzhou.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45
    deployment.apps/test-allow created
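    The following script is an added example, not part of the kritis-validation-hook project or of the original page. It packages the procedure above into pre-flight checks that can be run before `kubectl apply`: it renders the AttestationAuthority manifest from a public key file (encoding the key the way step 1 does), checks that the embedded publicKeyData decodes back to a PEM public key, and flags image references in a Deployment manifest that are not pinned by digest, which is the form that was denied in step 3 and admitted in step 4. The function names, the temporary file layout, and the placeholder key contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not kritis-validation-hook project code): pre-flight checks
# for the AttestationAuthority manifest and for Deployment image references.

# Base64-encode a PEM public key file as one line, the form used in publicKeyData.
encode_public_key() {
    base64 < "$1" | tr -d '\n'
}

# Print an AttestationAuthority manifest for NAME, KEYFILE and KMS KEYID.
# noteReference follows the namespaces/<name> convention used in step 1.
render_attestation_authority() {
    name=$1; keyfile=$2; keyid=$3
    cat <<EOF
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: $name
spec:
  noteReference: namespaces/$name
  publicKeyData: $(encode_public_key "$keyfile")
  publicKeyId: $keyid
EOF
}

# Verify that publicKeyData in a rendered manifest is present and decodes to a
# PEM public key (catches a missing file, a wrong path, or a private key pasted by mistake).
check_public_key_data() {
    data=$(sed -n 's/^ *publicKeyData: *//p' "$1")
    [ -n "$data" ] || { echo "publicKeyData missing in $1" >&2; return 1; }
    printf '%s' "$data" | base64 -d 2>/dev/null | grep -q 'BEGIN PUBLIC KEY'
}

# Return 0 if an image reference is pinned by a sha256 digest (64 lowercase hex
# characters), 1 for a tag or bare reference.
is_digest_pinned() {
    case "$1" in
        *@sha256:*)
            digest=${1##*@sha256:}
            [ "${#digest}" -eq 64 ] && [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
            ;;
        *) return 1 ;;
    esac
}

# List every image reference in a manifest (assumes unquoted "image:" lines)
# and report the ones that are not digest-pinned. Returns 1 if any was found.
check_manifest_images() {
    rc=0
    for ref in $(sed -n 's/^ *- *image: *//p; s/^ *image: *//p' "$1"); do
        if is_digest_pinned "$ref"; then
            echo "ok      $ref"
        else
            echo "reject  $ref (not digest-pinned; would be denied as not attested)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh preflight.sh <authority-name> <publickey.txt> <kms-key-id> [deployment.yaml]
# Renders the authority manifest to stdout after checking it; with a fourth
# argument, also checks the image references in that Deployment manifest.
if [ $# -ge 3 ]; then
    tmp=$(mktemp)
    render_attestation_authority "$1" "$2" "$3" > "$tmp"
    check_public_key_data "$tmp" || { rm -f "$tmp"; exit 1; }
    cat "$tmp"; rm -f "$tmp"
    [ $# -ge 4 ] && check_manifest_images "$4"
fi
```

    Once the objects are applied, `kubectl apply --dry-run=server -f deployment.yaml` exercises the admission webhook without creating anything, provided the webhook is registered as having no side effects; it is a cheap way to confirm that a reference will be admitted before a real rollout.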

Next up

kritis-validation-hook will work with other Alibaba Cloud services to provide features including, but not limited to, the following:
  • Immutable image tags. With immutable tags, you will no longer need to reference images by digest for signature verification, which simplifies deployment manifests.
  • Image vulnerability detection. This feature blocks the deployment of images that contain vulnerabilities at or above a configured severity level, which further lowers security risks.